Remote loader installation

Overview

The remote loader is used to synchronize data between the meta directory and the connected system (AD, LDAP, MySQL, etc.). The communication port (default: 8090/TCP, incoming) has to be opened in your firewall for the following IP range:

134.76.9.64/28

For system requirements see: System requirements
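As an added example (not part of the original page), a POSIX shell check that a source address lies inside 134.76.9.64/28, plus a filter that lists connections on the remote loader port 8090 from any other source; the firewall log format and all addresses in SAMPLE_LOG are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the GWDG page: check whether a source address lies
# inside 134.76.9.64/28, the range the firewall must admit on the remote loader
# port, and list connections on that port from anywhere else. The log format
# and all addresses in SAMPLE_LOG are constructed for this example.

ALLOWED_NET=134.76.9.64
ALLOWED_PREFIX=28
RL_PORT=8090

# ip4_to_int 134.76.9.70 -> the address as a 32-bit integer
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_allowed_range 134.76.9.70 -> exit status 0 if inside ALLOWED_NET/ALLOWED_PREFIX
in_allowed_range() {
    ip=$(ip4_to_int "$1")
    net=$(ip4_to_int "$ALLOWED_NET")
    # 4294967295 is 0xffffffff; shift left, then mask back to 32 bits
    mask=$(( (4294967295 << (32 - ALLOWED_PREFIX)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Constructed firewall log: "<time> <source ip> -> <destination port> <verdict>"
SAMPLE_LOG='2024-05-02T10:00:01 134.76.9.70 -> 8090 ACCEPT
2024-05-02T10:00:05 198.51.100.23 -> 8090 ACCEPT
2024-05-02T10:00:09 134.76.9.80 -> 8090 ACCEPT
2024-05-02T10:00:12 134.76.9.65 -> 443 ACCEPT'

# flag_unexpected_sources -> prints each source that reached RL_PORT from
# outside the allowed range, one per line (134.76.9.80 is just past .79)
flag_unexpected_sources() {
    printf '%s\n' "$SAMPLE_LOG" | while read -r _ts src _arrow port _verdict; do
        [ "$port" = "$RL_PORT" ] || continue
        in_allowed_range "$src" || echo "$src"
    done
}

flag_unexpected_sources
```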

Installation on Windows

Remote loader files: - download -
Remote loader service pack: - download -
Sectigo-chain: - download -
Documentation remote loader installation (NetIQ) P. 47 ff: - link -
Documentation remote loader configuration (NetIQ) P. 32 ff: - link -
Documentation Creating an Administrative Account (NetIQ) P. 26 ff: - link -
PW-Filter installation P. 47 ff: - link -

Installation

  • Download the remote loader files and the remote loader service pack
  • Download the Sectigo chain
  • Extract the remote loader files and the certificate
  • If necessary, unblock the extracted files, e.g. in PowerShell:
    Get-ChildItem -Path C:\Downloads\RemoteLoader4.8Setup -Recurse | Unblock-File
  • Run install.exe
    • Recommendation: Do not install directly on a domain controller but on an Active Directory member server.
  • Accept the license agreement (can be ignored: it is associated with the Identity Manager server software, not the remote loader)
  • Run IdentityManagerServer\install.exe from the service pack
  • How to verify that the SP is installed:
    • Go to the installation path (default: C:\NetIQ\IDM\RemoteLoader\64bit) and open the properties of the file dirxml_remote.exe.
    • Switch to the Details tab and check that the product version is 4.8.6.0, where 6 is the number of the downloaded SP.

Configuration

  • Run rlconsole.exe from the installation path (default: C:\NetIQ\IDM\RemoteLoader) as administrator
  • Click Add
  • Add a description
  • Choose the driver (e.g. ADDriver.dll)
  • Choose the IP address to listen on (default: All)
  • Set the communication port (default: 8090)
  • Set the remote loader password (required by GWDG)
    • Requirements: at least 12 characters consisting of upper- and lower-case letters and digits (no special characters)
  • Set the driver object password (required by GWDG)
    • Requirements: at least 12 characters consisting of upper- and lower-case letters and digits (no special characters)
  • Activate SSL
  • Choose the path to Sectigo-chain.b64
  • Check “Create Remote Loader service for this driver instance” (in the German UI: “Remote Loader-Service für diese Treiber-Instanz erstellen”)
  • Accept (do not start the remote loader service yet)
  • Open Windows Services (services.msc), identify the “DirXML Loader” service and enter the Active Directory user as the service logon account
  • Start the remote loader

Active Directory User

  • The user who runs the service has to be in the local Administrators group (Local Users and Groups → Groups → Administrators).
  • Necessary user right: “Replicating Directory Changes” (not “Replicating Directory Changes All”) for this object and all descendant objects of the domain
    • Domain → Properties → Security tab → Advanced → Add
    • Choose the user → “Clear all” → check “Replicating Directory Changes”
  • Necessary user right: “Log on as a service”
  • Full control over the relevant objects in the OU/container
    • Container → Properties → Security → Advanced → Add → choose the user → Descendant User objects/Descendant Group objects → check “Full control”

Installation on Linux

The installation on Linux systems differs between certified systems (e.g. SLES 15, RHEL 8, etc.) and non-certified systems. If you are using a non-certified system, e.g. Ubuntu, the Java remote loader has to be installed.

Installation on certified Linux systems

Remote loader files: - download -
Remote loader service pack: - download -
Sectigo-chain: - download -
Documentation remote loader installation (NetIQ) P. 65ff: - link -

Prerequisites

  • Download remote loader files
  • Download Sectigo chain certificate
  • Extract the certificate

CentOS

The 32-bit version of glibc has to be installed on x86_64 systems:

yum install glibc.i686

Installation

  • Extract the remote loader
  • Edit the file silent.properties:
    • METADIRECTORY_SERVER_SELECTED=false
    • WEB_ADMIN_SELECTED=false
    • UTILITIES_SELECTED=false
    • Choose the remote loader architecture:
      • 32 Bit
        • CONNECTED_SYSTEM_SELECTED=true
        • X64_CONNECTED_SYSTEM_SELECTED=false
      • 64 Bit
        • CONNECTED_SYSTEM_SELECTED=false
        • X64_CONNECTED_SYSTEM_SELECTED=true
  • Run the following commands as root in the setup directory:
chmod -R 755 *
./idm_linux.bin -i silent -f silent.properties

Installation on non-certified Linux systems

Remote Loader files: - download -
Sectigo-chain: - download -
Documentation remote loader installation (NetIQ) P. 75ff: - link -

Prerequisites

  • Download remote loader files
  • Download Sectigo chain certificate
  • Extract the certificate
  • A JRE of at least Java 8u112 is required

Install Java remote loader

  • Extract the Java remote loader
  • Make dirxml_jremote and create_keystore executable

Configuration

  • Change into the installation directory, e.g. /opt/novell/dirxml/bin/x86_64/
  • Create the keystore file:
./create_keystore Sectigo-chain.b64
  • Edit dirxml_jremote and replace
jarlist=`ls /opt/novell/eDirectory/lib/dirxml/classes/*.jar`
    with
jarlist=`ls /<installation path>/lib/*.jar`
  • Add/edit config8000.txt

Example LDAP configuration

-commandport 8000
-connection "port=8090 keystore='<installation directory>/dirxml.keystore' storepass=dirxml"
-trace 4
-tracefile ./trace8000.log
-tracefilemax 10M
-class com.novell.nds.dirxml.driver.ldap.LDAPDriverShim
  • Set the remote loader and driver object passwords (both are required by GWDG):
./dirxml_jremote -config config8000.txt -sp <remote loader password> <driver object password>
  • Run the Java remote loader:
./dirxml_jremote -config config8000.txt
  • Java has to be in the PATH variable:
PATH=$PATH:/path/to/java/bin/
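As an added example (not from the GWDG page or from NetIQ), a pre-flight script for the Java remote loader set up above: java_version_ok() checks a "java -version" string against the 8u112 minimum named in the prerequisites (it also understands the Java 9+ version scheme, which goes beyond the page), config_value() reads port, keystore and storepass out of the -connection line of a config8000.txt in the format shown, and preflight() combines both; the config written by write_sample_config() and the empty keystore placeholder are constructed.

```shell
#!/bin/sh
# Added example, not from the GWDG page or NetIQ: pre-flight checks for the Java remote
# loader configured above. java_version_ok() checks a "java -version" string against the
# 8u112 minimum, config_value() reads the -connection line, preflight() combines both.
MIN_MAJOR=8
MIN_UPDATE=112

# java_version_ok "1.8.0_292" -> 0 if at least Java 8u112; understands the legacy
# 1.<major>.0_<update> form and the Java 9+ <major>.x.y form
java_version_ok() {
    v=$1
    case $v in
        1.*)
            major=${v#1.}; major=${major%%.*}
            case $v in *_*) update=${v##*_} ;; *) update=0 ;; esac
            [ "$major" -gt "$MIN_MAJOR" ] ||
                { [ "$major" -eq "$MIN_MAJOR" ] && [ "$update" -ge "$MIN_UPDATE" ]; } ;;
        *)  [ "${v%%.*}" -ge "$MIN_MAJOR" ] ;;
    esac
}

# config_value FILE KEY -> value of KEY (port, keystore or storepass) from the
# -connection line, surrounding single quotes removed
config_value() {
    sed -n "/^-connection/s/.*[ \"]$2='*\([^' \"]*\)'*.*/\1/p" "$1"
}

# preflight CONFIG JAVA_VERSION -> 0 when Java is new enough, the -connection port
# is 8090 as in the configuration above and the referenced keystore file exists
preflight() {
    java_version_ok "$2" || { echo "java $2 is older than 8u112"; return 1; }
    [ "$(config_value "$1" port)" = 8090 ] || { echo "port is not 8090"; return 1; }
    ks=$(config_value "$1" keystore)
    [ -f "$ks" ] || { echo "keystore $ks not found"; return 1; }
}

# write_sample_config DIR -> constructed config8000.txt plus an empty keystore
# placeholder in DIR (no real keystore is created); prints the config path
write_sample_config() {
    : > "$1/dirxml.keystore"
    cat > "$1/config8000.txt" <<EOF
-commandport 8000
-connection "port=8090 keystore='$1/dirxml.keystore' storepass=dirxml"
-class com.novell.nds.dirxml.driver.ldap.LDAPDriverShim
EOF
    echo "$1/config8000.txt"
}

tmp=$(mktemp -d); cfg=$(write_sample_config "$tmp")
preflight "$cfg" 1.8.0_292 && echo "preflight OK"; rm -r "$tmp"
```

Against a real installation, replace the sample config with the path of your config8000.txt and pass the version string printed by `java -version`.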

Remote loader start script example

#!/bin/sh
# Start/stop wrapper for the Java remote loader; run as root.
INSTDIR=/opt/novell/dirxml/bin/x86_64/
STAGEDIR=$INSTDIR/stage
USER=ldap            # unprivileged account the remote loader runs as

export PATH=/usr/local/bin:$PATH

cd "$INSTDIR" || exit 1

case "$1" in

  stop)
    # the bracket in '[d]irxml_remote' keeps grep from matching its own process
    kill `ps aux | grep '[d]irxml_remote' | awk '{ print $2}'`
    ;;

  start|*)
    echo -n " rloader"
    exec > /dev/null 2>&1
    # the trace file must exist and be writable by the service user
    touch trace8000.log
    chown "$USER" trace8000.log
    su "$USER" -c "$INSTDIR/dirxml_jremote -config $INSTDIR/config8000.txt &"
    ;;

esac

Remote loader unit file example

  • Requires the user remoteloader and the group remoteloader
  • Create the trace file:
touch trace8000.log && chown remoteloader:remoteloader trace8000.log

[Unit]
Description=IDM Remote Loader
After=docker.service

[Service]
Type=simple
ExecStart=/opt/novell/remoteloader/dirxml_jremote -config config8000.txt
WorkingDirectory=/opt/novell/remoteloader
User=remoteloader
Group=remoteloader
Restart=on-failure

[Install]
WantedBy=multi-user.target

Univention Corporate Server

Import the Univention CA into the keystore to allow a self-signed LDAP certificate. The LDAP certificate must also be available in the keystore:

keytool -import -trustcacerts -alias univention-ca -file /opt/idm/univention-ca.pem -keystore dirxml.keystore
keytool -import -trustcacerts -alias ldap -file /opt/idm/ldap.pem -keystore dirxml.keystore